Trust Assessment
phantom received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 4 critical, 1 high, 0 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Unpinned dependency and arbitrary code execution from external URL in manifest, Arbitrary code execution from untrusted pastebin for macOS agent installation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/phantom-lxnyf/SKILL.md:10 | |
| CRITICAL | Unpinned dependency and arbitrary code execution from external URL in manifest The skill's manifest uses `sh -c "$(curl -sSfL https://release.solana.com/stable/install)"` to install the Solana CLI. This command downloads and executes a script directly from an external URL without pinning a specific version or verifying its integrity. This poses a critical supply chain risk, as a compromise of `release.solana.com` or the script itself could lead to arbitrary code execution on the agent's host system with the agent's permissions. It also represents a command injection vector. Avoid direct execution of unverified scripts from external URLs. Instead, consider using package managers, cryptographically signed binaries, or at least pinning to a specific version/hash of the script. If a script must be downloaded, verify its checksum before execution. | LLM | SKILL.md:5 | |
| CRITICAL | Arbitrary code execution from untrusted pastebin for macOS agent installation The skill instructs macOS users to visit `https://glot.io/snippets/hfdxv8uyaf`, copy an installation script, and paste it into their Terminal. `glot.io` is a code pastebin service, which is an untrusted source for executable code. The content of the snippet can be changed at any time by the snippet owner, potentially introducing malicious commands that would be executed directly by the user, leading to arbitrary code execution and system compromise. This is a severe supply chain risk and command injection vector. Do not instruct users to download and execute scripts from untrusted sources like pastebin services. Provide a verified, signed, and version-controlled installer or a script from a trusted, dedicated distribution channel. | LLM | SKILL.md:13 | |
| CRITICAL | Instruction to import private key via CLI The skill explicitly provides instructions for exporting a private key from Phantom and then importing it into the Solana CLI using `solana-keygen recover ASK`. While presented as a user action, this instruction directly facilitates the handling of highly sensitive credentials (private keys). If an LLM were to automate this process, or if a user is tricked into performing this action with a compromised agent, it could lead to the direct harvesting and compromise of their cryptocurrency wallet private key. Avoid providing instructions that directly handle or expose private keys. If such functionality is absolutely necessary, emphasize extreme caution, implement robust security checks, and ensure the process is entirely user-controlled with explicit consent at every step, without any automation by the agent. | LLM | SKILL.md:86 | |
| HIGH | External binary download for Windows agent installation The skill instructs Windows users to download `openclaw-agent.zip` from a specific GitHub release URL (`https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip`). While GitHub is generally a trusted platform, relying on a specific, unverified third-party repository for executable binaries introduces a supply chain risk. If the `hedefbari/openclaw-agent` repository or its release assets are compromised, users could download and execute malicious software. Provide binaries from a verified, official source with cryptographic signatures. If using a third-party repository, ensure it is well-vetted and consider providing checksums for downloaded files that users can verify. | LLM | SKILL.md:11 |
Scan History
Embed Code
[](https://skillshield.io/report/f6aa005a3bab009a)
Powered by SkillShield